On Wed, Jun 09, 1999 at 01:26:56PM -0400, Steven M. Christey wrote:
| Here's the first review that came in from Steve Northcutt. I've
| forwarded it along to the list. I'll comment on his non-ACCEPTs
| later.
I comment here only on Steve's non-accepts, and will add full comments
on the bulk later.
| ------------------------------------------
| Candidate: CAN-1999-0017
| Proposer: 001
| Assigned: 19990607
| Announced: 19990607
| Category: SF
| Reference: CERT:CA-97.27.FTP_bounce
| Reference: XF:ftp-bounce
| Reference: XF:ftp-privileged-port
|
| FTP bounce attack to connect to arbitrary ports on machines other than
| the FTP client.
| MODIFY - the primary vulnerability is in some FTP server implementations
| that allow this as opposed to the actual connecting to the ports
I don't think that the text of the CVE entry says where the
vulnerability is, and have NO OPINION here.
| Candidate: CAN-1999-0067
| Proposer: 001
| Assigned: 19990607
| Announced: 19990607
| Category: SF
| Reference: CERT:CA-96.06.cgi_example_code
| Reference: XF:http-cgi-phf
|
| CGI phf program allows remote command execution
| MODIFY, this is not about phf it is about escape_shell_cmd(),
| you had the same thing with php and so forth.
I disagree, failure to properly handle shell commands in input is not
the appropriate level of abstraction, and suggest ACCEPT
| ------------------------------------------
| Candidate: CAN-1999-0513
| Proposer: 001
| Assigned: 19990607
| Announced: 19990607
| Category: CF
| Reference: CERT:CA-98.01.smurf
| Reference: FreeBSD:FreeBSD-SA-98:06
| Reference: XF:smurf
|
| ICMP messages to broadcast addresses are allowed, allowing for a
| Smurf attack that can cause a denial of service.
|
| MODIFY - If you put it this way then ping mapping becomes part of
| smurf. I would consider calling the vulnerability ICMP to broadcast
| addresses
| and in the text state allowing for a Smurf denial or service or ICMP ping
| mapping
| to acquire intelligence data about a network.
I believe that ping mapping is indeed part of smurf, and suggest ACCEPT.